VDB

GCVE-110-OSM-2026-5715

GCVE-110-OSM-2026-5715
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 11, 2026
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code. Entrypoint: lib/index.cjs.js (main: lib/index.cjs.js) Exfil: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY (telegram-bot, recovery: plaintext in lib/index.cjs.js) Payload: lib/index.cjs.js Secondary files: lib/index.esm.js, lib/index.iife.js Key findings: - Download Execute Delete Pattern in lib/index.cjs.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csf6;cat '+tf+..." - Download Execute Delete Pattern in lib/index.esm.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csf6;cat '+tf+..." - Corporate Environment Targeting in lib/index.iife.js: "tmost min(nBitLen, outLen) bits, which match" - Chai-Max Wallet Theft Indicators in package.json: "solana-wallet" - Data Encoding for Exfiltration in lib/index.browser.cjs.js: "Buffer.from(wireTransaction).toString('base64')" IOCs: - ipv4: 104.239.66.223, 13.3.3.7, 4.2.1.2 - urls: https://bargsten.org/jsts/enums/, https://docs.solana.com/implemented-proposals/ed_overview, https://api.testnet.solana.com, https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html, https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of (+45 more) - domains: bargsten.org, solana.com, docs.solana.com, api.testnet.solana.com, api.devnet.solana.com (+28 more) - emails: dead_horse@qq.com, maintainers@solanalabs.com - telegramBots: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY - bitcoinAddresses: 11111111111111111111111111111111 - sha256Hashes: 0100000000000000000000000000000000000000000000000000000000000000, c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a, 0000000000000000000000000000000000000000000000000000000000000080, 26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05, ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f (+3 more) - payloadFileHash: f5d62c50dac9bc82c50b7b5a3b230009127f1f4b04d766db109fcb7a80b86262

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsolana-web3-communityall (affected)

References

advisory
vendor

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›